#! /bin/sh

set -e

update_fs_from_statoverride() {
  # I wish a simple dpkg-statoverride --update $file just did
  # the right thing, but it doesn't, so we have to do it manually.
  type=$1
  user=$2
  group=$3
  mode=$4
  file=$5
  if [ -n "$type" -a -n "$group" -a -n "$mode" -a -n "$file" ]; then
    if [ "$(find $file -maxdepth 0 -type $type -group $group -perm $mode)" = "" -a -$type $file ]; then
      chgrp $group $file
      chmod $mode $file
    fi
  fi
}

handle_config_files() {
  runmode=$1

  for file in /etc/freeradius/preproxy_users \
              /etc/freeradius/policy.conf \
              /etc/freeradius/eap.conf \
              /etc/freeradius/experimental.conf \
              /etc/freeradius/huntgroups \
              /etc/freeradius/proxy.conf \
              /etc/freeradius/attrs.pre-proxy \
              /etc/freeradius/hints \
              /etc/freeradius/sql.conf \
              /etc/freeradius/ldap.attrmap \
              /etc/freeradius/attrs \
              /etc/freeradius/policy.txt \
              /etc/freeradius/attrs.accounting_response \
              /etc/freeradius/attrs.access_reject \
              /etc/freeradius/attrs.access_challenge \
              /etc/freeradius/clients.conf \
              /etc/freeradius/acct_users
  do
    set +e
    so=$(dpkg-statoverride --list $file)
    ret=$?
    set -e
    case "$runmode" in
      initial)
        if [ $ret != 0 ]; then
          dpkg-statoverride --add --update root freerad 0640 $file
        fi
        ;;
      upgrade)
        update_fs_from_statoverride f $so
        ;;
    esac
  done

  for dir in /etc/freeradius/certs \
             /etc/freeradius/sites-available \
             /etc/freeradius/sites-enabled
  do
    set +e
    so=$(dpkg-statoverride --list $dir)
    ret=$?
    set -e
    case "$runmode" in
      initial)
        if [ $ret != 0 ]; then
          dpkg-statoverride --add --update freerad freerad 2751 $dir
        fi
        ;;
      upgrade)
        update_fs_from_statoverride d $so
        ;;
    esac
  done
}

case "$1" in
  configure)
        if [ -z "$2" ]; then

          # Changed in 1.1.5-1 for new installs (we used to start at S50
          # and stop at K50)  We now start at S50 and stop at K19 so we
          # start after services which may be used and stop before them.
          update-rc.d freeradius start 50 2 3 4 5 . stop 19 0 1 6 . >/dev/null

          # Set up initial permissions on all the freeradius directories

          if ! dpkg-statoverride --list /var/run/freeradius >/dev/null; then
            dpkg-statoverride --add --update freerad freerad 0755 /var/run/freeradius
          fi

          if ! dpkg-statoverride --list /var/log/freeradius >/dev/null; then
            dpkg-statoverride --add --update freerad freerad 0750 /var/log/freeradius
          fi

          for file in radius.log radwtmp; do
            [ ! -f "/var/log/freeradius/${file}" ] && install -o freerad -g freerad -m 644 /dev/null /var/log/freeradius/${file}
          done

          handle_config_files initial

          action="start"

        else

          handle_config_files upgrade
          action="restart"

        fi

        # Create links for default sites, but only if this is an initial
        # install or an upgrade from before there were links; users may
        # want to remove them...
        if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.0.4+dfsg-4; then
          for site in default inner-tunnel; do
            if [ ! -e /etc/freeradius/sites-enabled/$site ]; then
              ln -s ../sites-available/$site /etc/freeradius/sites-enabled/$site
            fi
          done
        fi

	# Create stub SSL certificate file that became necessary in 2.1.8,
	# with analogous disclaimers, because the admin may yet choose to
	# switch to /usr/share/doc/freeradius/examples/certs/ stuff.
        if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.1.8+dfsg-1; then
          if egrep -q '^[ 	]*\$INCLUDE eap.conf' /etc/freeradius/radiusd.conf && \
             egrep -q '^[ 	]*certdir = \${confdir}/certs' /etc/freeradius/eap.conf && \
             egrep -q '^[ 	]*cadir = \${confdir}/certs' /etc/freeradius/eap.conf
          then
            echo "Updating default SSL certificate settings, if any..." >&2
            test -d /etc/freeradius/certs || mkdir /etc/freeradius/certs
            if test ! -e /etc/ssl/certs/ssl-cert-snakeoil.pem || \
               test ! -e /etc/ssl/private/ssl-cert-snakeoil.key
            then
               make-ssl-cert generate-default-snakeoil
            fi
            if egrep -q '^[ 	]*certificate_file = \${certdir}/server.pem' /etc/freeradius/eap.conf && \
               test ! -f /etc/freeradius/certs/server.pem
            then
              serverpem=wasnotthere
	      ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/freeradius/certs/server.pem
	    fi
            if ( egrep -q '^[ 	]*private_key_file = \${certdir}/server.pem' /etc/freeradius/eap.conf && \
                 [ "$serverpem" = "wasnotthere" ] ) \
               || \
               ( egrep -q '^[ 	]*private_key_file = \${certdir}/server.key' /etc/freeradius/eap.conf && \
                 test ! -f /etc/freeradius/certs/server.key )
            then
	      ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/freeradius/certs/server.key
	      sed -i -e 's,^\([ 	]*private_key_file = \${certdir}\)/server.pem$,\1/server.key,' /etc/freeradius/eap.conf
	      if getent group ssl-cert >/dev/null; then
                # freeradius-common dependency also provides us with adduser
	        adduser --quiet freerad ssl-cert
	      fi
	    fi
            if egrep -q '^[ 	]*CA_file = \${cadir}/ca.pem' /etc/freeradius/eap.conf && \
               test ! -f /etc/freeradius/certs/ca.pem
            then
	      ln -s /etc/ssl/certs/ca-certificates.crt /etc/freeradius/certs/ca.pem
	    fi
            if egrep -q '^[ 	]*random_file = \${certdir}/random' /etc/freeradius/eap.conf && \
               test ! -f /etc/freeradius/certs/random
            then
	      sed -i -e 's,^\([ 	]*random_file = \)\${certdir}/random$,\1/dev/urandom,' /etc/freeradius/eap.conf
	    fi
            if egrep -q '^[ 	]*dh_file = \${certdir}/dh' /etc/freeradius/eap.conf && \
               test ! -f /etc/freeradius/certs/dh
            then
              # ssl-cert dependency also provides us with openssl
	      openssl dhparam -out /etc/freeradius/certs/dh 1024
	    fi
	  fi
	fi

        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
          invoke-rc.d freeradius $action || true
        else
          /etc/init.d/freeradius $action
        fi
        ;;
  abort-upgrade)
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
          invoke-rc.d freeradius restart || true
        else
          /etc/init.d/freeradius restart
        fi
        ;;
  abort-remove)
        if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
          invoke-rc.d freeradius start || true
        else
          /etc/init.d/freeradius start
        fi
        ;;
  abort-deconfigure)
        ;;
esac

#DEBHELPER#

exit 0
